Our well respected peer Bruce Schneier as an interesting post about an article on the failure of two factor authentication. 

According to the article, phishers are using some new techniques to bypass the two factor authentication that some banks are using for account access.  The phishers are spoofing the bank sites elsewhere (as ususal), and are including the fields for the token entry for login.  When the unsuspecting user enters the token into the ohisher’s site, the site then contacts the real bank and presents the credentials as provided bu the user – so if the token is wron, they can modify the spoofed error page
until they get a correct one.

Pretty slick.

The article refers to this as a “man in the middle attack”, and while I don’t agree with that description (in the traditional sense), I think that it sums it up for the end user. 

Now, I certainly don’t think that two factor authentication is dead, but at least take a good look at how the whole system works.  And now it appears that we need to account for these type of issues when designing two facto authentication systems.

– Larry

Failure of Two-Factor Authentication

Here’s a report of phishers defeating two-factor authentication using a man-in-the-middle attack.

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit — a tactic used by some security-savvy people — you might be fooled. That’s because this site acts as the “man in the middle” — it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

I predicted this last year.